Route OPNSense updates over VPN

Started by DemonWall, September 21, 2025, 08:33:14 PM

I have a new device running version 24.7 (pre-installed), which has not yet been connected to the internet. I have done some initial setup to route LAN traffic over WireGuard to my VPN provider, and to set up Unbound DNS in preparation for connection to the outside world. I would like to ensure that traffic from the OPNSense device itself is also routed through the WireGuard gateway. For example, I want OPNSense system/security updates to be downloaded through my VPN provider. I also want my DNS blocklists to be downloaded through my VPN provider. (I live in a college town where internet/wi-fi abuse is rampant; my cable modem should be considered HOSTILE.)

I used this guide for VPN setup: <https://kb.protectli.com/kb/proton-vpn-opnsense-protectli-vault/>

Is the OPNSense box itself considered part of LAN, such that I don't need to be concerned about this?
Or, do I need a separate firewall rule to ensure that OPNSense traffic also goes through my WireGuard tunnel? How do I identify OS traffic and specify that it should be routed like any other LAN traffic?
(I am concerned about the automatically generated rule "let out anything from firewall host itself".)
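One check worth running before trusting the box to fetch updates is to see which interface the firewall's own route lookup would pick for a given destination. The script below is an added example, not code from the thread or from OPNsense: it parses FreeBSD-style `netstat -rn` output (the constructed sample is embedded inline), performs a longest-prefix match for a destination address, and reports whether that address would leave via the WireGuard interface. The interface names (`wg0`, `igb0`, `igb1`) and all addresses are assumptions.

```python
import ipaddress

# Constructed sample of FreeBSD-style `netstat -rn -f inet` output, as an
# OPNsense box would print it. Interface names and addresses are assumed;
# replace the text with the real output of `netstat -rn -f inet` on the box.
SAMPLE_ROUTES = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        igb0
10.2.0.0/24        link#7             U           wg0
10.2.0.2           link#7             UHS         lo0
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#2             U          igb1
203.0.113.0/24     link#1             U          igb0
"""


def parse_routes(text):
    """Return a list of (network, gateway, flags, netif) tuples.

    Lines that do not start with a parseable destination (headers, blank
    lines) are skipped. 'default' is treated as 0.0.0.0/0.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gateway, flags, netif = parts[:4]
        try:
            if dest == "default":
                net = ipaddress.ip_network("0.0.0.0/0")
            else:
                # A bare address (host route) becomes a /32 network.
                net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # header line such as "Destination ..."
        routes.append((net, gateway, flags, netif))
    return routes


def egress_interface(routes, ip):
    """Longest-prefix match: the interface the kernel would use for `ip`."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, gateway, flags, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, flags, netif)
    return best[3] if best else None


def host_egress_uses_vpn(routes, ip, vpn_if="wg0"):
    """True if the firewall's own route to `ip` goes out the VPN interface."""
    return egress_interface(routes, ip) == vpn_if


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    # Placeholder address standing in for an update mirror or blocklist host.
    for target in ("198.51.100.10", "10.2.0.5"):
        via = egress_interface(routes, target)
        ok = host_egress_uses_vpn(routes, target)
        print(f"{target}: via {via} -> {'VPN' if ok else 'NOT VPN'}")
```

In the constructed table the default route points at the WAN interface, so any public destination is reported as leaving outside the tunnel; the script only shows what the routing table says, which is the starting point for deciding whether an additional outbound rule with the WireGuard gateway is needed.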